r00t advisory [ sol 2.5 su(1M) ] [ Aug 25 1996 ]
-- Synposis There exists a vunerability in the su(1M) program that will
allow any user to execute arbitray commands as r00t. To expliot this
vunerability the malicious hacker must have already obtained sgid sys (not
too hard to do!). If sulog doesn't yet exist, su will create it and then
chown() it rather than fchown() it resulting in an easily exploitable race
condition.
-- Exploitability r00t has tested this vunerability and successfully run
the id(1) program as euid r00t from a non root account. A simple C program
that unlinks the sulog and copies your favorite bin and chmod 4755's it
works quite effectively. We have been able to win the race on normally the
4th or 5th try.
-- Fixes ? Our suggestion is to move back to a secure 4.2BSD based
operating system -- or perhaps just undefine sulog in /etc/default/su or
spend a few minutes writing your own version of su.
r00t -- we're all idiots.